Re: [fw-wiz] NTLM authentication from DMZ

From: Volker Tanger (volker.tanger@discon.de)
Date: 09/17/02


From: Volker Tanger <volker.tanger@discon.de>
To: miha@nil.si, firewall-wizards@honor.icsalabs.com
Date: Tue Sep 17 07:51:01 2002

Greetings!

miha@nil.si wrote:
>
> I am trying to set up a WebSweeper proxy in the DMZ, and enable NTLM
> authentication on it. Since it is not a server in the domain, I guess it
> needs to communicate with a DC, so it can authenticate the users as they
> request pages from the proxy.

You need to make the WebSweeper a member of the WinNT-Domain in the LAN.
For this you need NBT (nbname / nbsession) plus probably MS-RPCs for SAM
sync (not sure on the latter) in both directions. As the DMZ probably is a
separate (non-broadcast) network you'll need a WINS server in the LAN.

Basically having NTLM auth from DMZ is not such a good idea. Better
place an MS-Proxy/ISA in your LAN for authentication and cascade this to
the (then unauthenticated) WebSweeper in the DMZ. This way you can leave
the DMZ machine (more or less) completely separated.

Bye

Volker Tanger
IT-Security Consulting

-- 
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon    +49 30 6104-3307
fax    +49 30 6104-3461
volker.tanger@discon.de
http://www.discon.de/

